IE default page problem

Discussion in 'privacy problems' started by tinomen, Oct 31, 2004.

Thread Status:
Not open for further replies.
  1. tinomen

    tinomen Registered Member

    Joined:
    Oct 31, 2004
    Posts:
    1
    OK, so I got this dialer thing that keeps popping up the second I get on the net, so I got Spybot S&D and also BHODemon and HijackThis. Upon using HijackThis I noticed a certain ~snip 213.159.117.134/index.php~snip, something I had linked to a certain dialer that won't stop popping up. I had blocked this page with Norton's and IE, and yet every time I opened up IE it went right back to this 213.159 page, and when this page is loaded it downloads a file and changes your registry. When this happened my Norton's came up with a trojan/virus warning and I deleted the files (it downloaded 2 automatically), so I blocked these certain files, and now when I load IE it still goes to that 213.159.117.134/index.php (aka Cool Web Search, as it titles itself). So I use HijackThis to fix this and it says it changes, but every time I scan again it's still there and my IE default page is the same (yes, I tried to change the default page through IE settings; it just doesn't do it, something overwrites it), and I can find no leads on how to stop this WebDialer popping up every time I get on the net. So if anyone knows anything about this, please help. Here are the problem lines in my HijackThis log:



    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134/index.phpoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 213.159.117.134/index.php

    thank you,
    ryan
     
    Last edited by a moderator: Oct 31, 2004
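
Added example (not part of any poster's message, and not HijackThis's own code): a small Python parser for R0/R1 lines like those in the log above, flagging Internet Explorer page and search values whose host is a raw IP address or a listed indicator. The sample log is constructed from lines posted in this thread, with a benign entry and a non-registry line added for contrast; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: R0/R1 lines modelled on the HijackThis log posted in
# this thread, plus a benign entry and a non-registry line for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [example] C:\example.exe
"""

# "R0 - <hive>\<key>,<value name> = <data>"; the space after "=" may be missing.
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\([^,]+),([^=]+?)\s*=\s*(.*)$")


def host_of(data):
    """Return the host part of a URL-like registry value, scheme optional."""
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", data.strip(), flags=re.I)
    return re.split(r"[/:?#]", rest, maxsplit=1)[0].lower()


def is_ip_literal(host):
    """True when the host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(log_text, indicators=()):
    """Flag R-section entries whose host is a raw IP or a listed indicator."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # not an R0-R3 registry entry
        _, hive, _key, name, data = m.groups()
        host = host_of(data)
        if is_ip_literal(host) or host in indicators:
            findings.append((hive, name, host))
    return findings


if __name__ == "__main__":
    for hive, name, host in audit(SAMPLE_LOG):
        print(f"{hive:5} {name:18} -> {host}")
```

The hive column in the output shows which registry hives still hold the flagged value after a fix attempt.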
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I think you have been hit by a spyware called: CWS
     
  3. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I'm not sure he's coming back.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    CWS is very lethal.
     
  5. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    He has not given permission for us to see his email address either.

    Jimbob
     
  6. Jumpe4

    Jumpe4 Guest

    I got something similar to CWS. To get here without reloading viruses I pressed furiously on 'esc'. My virus removal software has scanned 3 times today, Ad-aware is going for the second time now - with deep level options.
    If you don't see me anymore then I lost you or met my destiny. My plan is to search for the string hxxp: //213.159.117.134/index.php in the registry once the virus scan and the spyware scan are done. And second, to delete anything that points to that string (or address). Wish me luck. The spyware scanning found this....
    Vendor:possible Browser Hijack attempt
    Category:Misc
    Object Type:File
    Size:77 Bytes
    Location:c:\windows\favorites\imported bookmarks\search\looksmart.url
    Last Activity:11.11.2004 22:00:00
    Risk Level:Low
    Comment:Item referrs to blacklisted
    Site:hxxp:// home.netscape.com/bookmark/4_73/looksmart.html
    Description:possible attempt to control\redirect the browser. This object
    referrs to a "blacklisted" site.

    see you again soon
     
  7. Jumpe4

    Jumpe4 Guest

    DO NOT FOLLOW THE LINK

    I'm still struggling. But don't follow the links in the previous post. They WILL infect your computer too... sorry.
     
  8. Jumpe4

    Jumpe4 Guest

    Solution found

    There was a file \system\systime.exe that I removed after restarting my computer in "Safe Mode".
    After that I looked for the "213.159.117.134" string in registry positions (Software\Microsoft\Internet Explorer\Main) that appear for Current User, Local Machine and Users. Removed entries with them (and some other garbage that I could identify - most likely from previous attacks).
    Then an exit of the registry and reboot. Explorer appeared cleaner than it should. The homepage needed to be set by adding the Homepage in Internet Explorer properties. Right Click on the Explorer icon on the desktop.

    System seems ok now.

    Next take a jump to IE Internet settings and add this to the untrusted domains in the security tab.
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Jumpe4, and welcome to Wilders.

    It sounds like you have it a bit more under control, but to ensure your computer is completely clean you may want to follow the steps listed here:
    General Cleaning Instructions. Then follow-up with posting a HijackThis log at one of the sites that do HijackThis log analysis.

    Edit - A bit about the file systime.exe: Sophos - Troj/StartPa-CR It is a CoolWebSearch parasite variant.

    Regards,

    snap
     
    Last edited: Nov 12, 2004